Tailscale ok but no subnet hosts can be reached?

First, sorry that I post my Tailscale problem here, but I guess it's related to my OpenWRT setup and I just didn't manage all the aspects beside the package ....

So my existing OpenWRT router has had Tailscale installed successfully, using --netfilter-mode=off, and this node is online in the Tailscale dashboard. Also my little Ubuntu notebook got a Tailscale installation and is a Tailscale node that is online. Both can TS ping each other, fine!

Now I am trying to realize the classic road warrior VPN scenario with split tunnel, where my netbook can access all the internal LAN devices via VPN. Therefore, my router TS node got the subnet flag and shares the internal 172.16..... subnet that it also manages.
Furthermore, I added a dedicated firewall zone, both as described on the OpenWRT Tailscale wiki page. The dashboard lists the subnets for the router node, so this looks fine!

Unfortunately, I can only ping the internal IPv4 IP of my router, but have no success contacting the other devices on the LAN subnet. I just don't know if I am missing a static route on the netbook, or if the router's FW will need a few more tweaks.

Is any experienced admin willing to help with debugging my setup? :frowning:

On your home network, did you use --advertise-routes pointed at your internal network subnet (192.168.x.x/24) and approve it in the Tailscale admin panel?

Hi, thanks for jumping in :slight_smile:

In the meantime, I managed at least to get a proper IP connection to each LAN device. I just removed all the firewall rules and zones and started from scratch, carefully following the wiki page. Et voilà, it just works :+1:

But I still struggle with DNS. My OpenWRT provides a central DNS for my LAN by assigning the .lan suffix. Now I set DNS in the Tailscale console as split DNS with

Nameserver 172.16.40.1
Restrict to domain: yes
Domain lan

And add "lan" as a Search Domain below.

I stumbled upon a Tailscale client bug where the internal firewall on the client side blocks DNS requests, causing DNS time-outs.
But even with the firewall fixed I still don't get DNS resolution if I ping / host / nslookup myrouter.lan :cry:

Can anybody show me how to debug DNS resolution, so I can check if it's a problem with the client adding my private DNS, or if my DNS server is blocking the successful requests of the client via Tailscale?

In the Tailscale console, use the Tailscale IP for your OpenWRT router instead of the private network IP. This works for me.